Hidden in plain sight: How IoT will make us more vulnerable

By Gregory E. Bautista

March 07, 2018

CYBERCRIMINALS are as relentless as guerilla fighters of old. Armed with the same technology as the big guns, and throttled only by paper laws and policies and the prospect of prison time, they prey on hapless victims and operate right in front of them. The new breed of cybercriminals has gamified the cybercrime platform and changed the ways of attack.

“People are really good at gaming any kind of system. If you set up any kind of rules, people figure out any way to cheat,” David Holmes, F5 Networks Global Security Evangelist, said as he offered this theory on why malware attacks are more pervasive than solutions.

“They will figure out the boundaries, it’s almost uncanny, they (attackers) can figure out almost any rule system,” he explains as I ask if this is the new normal for cybersecurity.

“Absolutely,” he said as we started to look at how the attack surfaces have changed within weeks of discovering a malware, attack vector or pattern.

As an example we review how the attacks have developed from simple malware, to IoT attacks to thingbots. And now these pervasive thingbots operate in plain sight, in the many devices that we have literally on hand and around us. This threat surface includes artificial intelligence and machine learning.

And what operates in plain sight are those little devices we don’t see but are watching, hearing, sensing and counting us—the Internet of Things (IoT). According to research firm Gartner, in about two years there will be some 20.4 billion IoT devices globally. The Japanese finance company, SoftBank, in studying its growth portfolio came up with an estimate of 1 trillion devices by 2035.

Holmes sat down with me to talk about the cybersecurity firm’s latest study “The Hunt for IoT Devices That Threaten Our Modern Way Of Life.” The research, penned by his colleagues at F5 Labs, Sara Boddy and Justin Shattuck, zeroed in on the activities already affected by attacks via IoT devices.

Many of these devices are common, whether as part of government projects like smart cities, flood control projects or public Wi-Fi spots, or in smart houses and condominiums to control lights and air conditioners and to lock or unlock doors, among other things.

The problem with IoT devices is that they continue to be designed as appliances: brainless, security-less appliances. Connect one to a power source and it will do what it needs to do. Like a flat iron. Plug and press. Or play. By its very design, an IoT device is an input source for data. There was no consciousness of how much security should be ingrained in them to thwart attacks, such as by notifying that the network could be compromised. That makes them easy prey for thingbots.

Thingbot is a loose term for malware embedded into a system using an Internet connection. This setup enables a hacker to access whatever that device is for. Camera images, for example, are sold on the Dark Net to voyeurism fans, or to criminals who want to see the layout of a building. A thingbot becomes part of a compromised system, and in this particular discussion the thingbots thrive on IoT.

The list is long but here are some examples.

Simple system attacks called “Aidra” (and its portable equivalent “LightAidra”) sneaked into home routers, smart TVs, set-top digi boxes, DVRs, VoIP devices like baby monitors, and IP cameras. More vicious attacks involve messing with the telemetrics of semi-autonomous cars; the most popular of recent vintage was the attack on the Jeep that caused a recall of 1.4 million vehicles. Still more vicious attacks use toys, like Mattel’s Internet-connected “Hello Barbie” personal assistant.

In the Hello Barbie case, security researchers saw the vulnerability in the toy’s accompanying app, discovering several loopholes that allowed hackers to eavesdrop on communications between it and the cloud servers it connects to. The possibility here was that kids who had Hello Barbie could become prey to some pedophiliac vulture.

In Germany, smartwatches designed for people wanting to watch over their kids have been hacked by a similar malware, allowing hackers to peek into children’s location and see their text messages or even photos.

“There are many pretty scary scenarios,” Holmes explained as he flicked to an interesting slide in the study. “Smart ovens can cause a fire if not secure. Credit card and banking devices are pretty easy to compromise too,” he said.

“Dyreza” and “Trickbot” search for wireless routers. Once a vulnerable one is found, the malware embeds itself and accesses the computer it is connected to. So whether on a mobile device or a desktop, it will embed a Trojan to find important bank information and attack, unseen, moving funds from bank accounts to its operators’ pockets.

“And the attack patterns have changed completely,” Holmes stressed, pointing out how attackers have moved from the traditional sequence of reconnaissance scans, then brute force attacks (to build a system, install malware or inject an autobuild thingbot) and then settling down to “pwnd” (the hacker, IT-ish term that means ‘vulnerable’ or ‘waiting to be attacked’) systems, to simply scattering attacks to open unsuspecting pwnd systems.

Why the shift?

Directly fertilizing the ecosystem with malware simply opens up more opportunities. There is no need to spend time on looking for a victim and employing a brute force attack. Based on the data presented by Holmes there are enough vulnerable systems waiting to be compromised.

And the options, depending on the devices infected, are many. Since it is gamified, everything from run-of-the-mill DDoS to illegal cryptocurrency mining, data theft, down to political hacking and cyberwarfare can result. In one case in 2015, cyberattackers cut electricity to nearly a quarter-million Ukrainians two days before Christmas, skillfully manning power grid equipment run by control boxes monitored via the Internet.

And by the sheer number of devices already in place, making them secure and monitoring each will require a huge resource allocation, if not a huge dent in global bandwidth.
